Dixons Carphone discloses data breach affecting 5.9M payment cards, 105k of which were compromised

European electronics and telecoms retailer Dixons Carphone has revealed a hack of its systems in which the intruder or intruders attempted to compromise 5.9 million payment cards.

In a statement put out today it says a review of its systems and data unearthed the data breach. It also confirms it has informed the UK’s data protection watchdog, the ICO; the financial regulator, the FCA; and the police.

According to the company, the vast majority of the cards (5.8M) were protected by chip-and-PIN technology — and it says the data accessed in respect of these cards contains “neither pin codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made”.

However, around 105,000 of the accessed cards were non-EU issued and lacked chip-and-PIN protection, and the company says those cards have been compromised.

“As a precaution we immediately notified the relevant card companies via our payment provider about all these cards so that they could take the appropriate measures to protect customers. We have no evidence of any fraud on these cards as a result of this incident,” it writes.

In addition to payment cards, the intruders also accessed 1.2M records containing non-financial personal data — such as name, address or email address.

“We have no evidence that this information has left our systems or has resulted in any fraud at this stage. We are contacting those whose non-financial personal data was accessed to inform them, to apologise, and to give them advice on any protective steps they should take,” the company adds.

In a statement about the breach, Dixons Carphone chief executive, Alex Baldock, said: “We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business, and we’ve fallen short here. We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.

“We are determined to put this right and are taking steps to do so; we promptly launched an investigation, engaged leading cyber security experts, added extra security measures to our systems and will be communicating directly with those affected. Cyber crime is a continual battle for business today and we are determined to tackle this fast-changing challenge.”

The company does not reveal when its systems were compromised; nor exactly when it discovered the intrusion; nor how long it took to launch an investigation — writing only that: “As part of a review of our systems and data, we have determined that there has been unauthorised access to certain data held by the company. We promptly launched an investigation, engaged leading cyber security experts and added extra security measures to our systems. We have taken action to close off this access and have no evidence it is continuing. We have no evidence to date of any fraudulent use of the data as result of these incidents.”

The EU’s new data protection rules, the GDPR, are strict in respect of data breaches: data controllers must report a personal data breach to their data protection authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. Where a breach is likely to result in a “high risk” to those rights and freedoms, the affected individuals must also be told directly, again without undue delay. Because the 72-hour clock runs from awareness rather than from the intrusion itself, the company’s silence on when it detected the breach is the detail that matters here.

And failure to promptly disclose breaches can attract major fines under the GDPR: a breach-notification failure falls into the framework’s lower tier of penalties, up to €10M or 2% of global annual turnover, whichever is greater.

Yesterday the ICO issued a £250k penalty for a Yahoo data breach dating back to 2014, though that was under the UK’s prior data protection regime, which capped fines at a maximum of £500k. Under the GDPR, fines for the most serious infringements can scale up to 4% of a company’s global annual turnover (or €20M, whichever is greater).

We’ve reached out to the ICO for comment on the Dixons Carphone breach and will update this story with any response. Update: An ICO spokesperson said: “An incident involving Dixons Carphone has been reported to us and we are liaising with the National Cyber Security Centre, the Financial Conduct Authority and other relevant agencies to ascertain the details and impact on customers. Anyone concerned about lost data and how it may be used should follow the advice of Action Fraud.”

Carphone Warehouse, the mobile division of Dixons Carphone, also suffered a major hack in 2015, and the company was fined £400k by the ICO in January for that data breach, which affected around 3M people.

The company’s stock dropped around 5% this morning after it reported the latest breach, before recovering slightly but still down around 3.5% at the time of writing.